Resources for the Check Point Community, by the Check Point Community.

Application Control with cleanup rule in Firewall policy

Hello again. Just wondering how the Application Control stuff is supposed to work when there's a cleanup rule at the end of the firewall policy? The traffic gets dropped before it gets a chance to get to the Application Control blade. Am I missing something?

Re: Application Control with cleanup rule in Firewall policy

Originally Posted by cdooer

Hello again. Just wondering how the Application Control stuff is supposed to work when there's a cleanup rule at the end of the firewall policy? The traffic gets dropped before it gets a chance to get to the Application Control blade. Am I missing something?

I'm assuming you are referring to R77.30 or earlier management.

The connection that will carry the application data must be explicitly permitted first by the main firewall policy based on IP addresses and port numbers. In the case of TCP, there is no data/payload for APCL/URLF to start looking at via its policy until the TCP 3-way handshake is allowed to complete and data begins to flow.

In R80+ management, the use of so-called ordered layers retains this basic methodology, and the different blade policies that were represented on different tabs across the top of the R77* SmartDashboard are instead shown as separate policy layers on the left hand side under the "Security Policies" tab of the R80+ SmartConsole.

Unified/inline layers can be used with R80.10+ gateways and have some pretty interesting capabilities, including the ability to explicitly decide if the implied cleanup rule of a policy layer is an Accept or a Drop. Way beyond the scope of this post though. :-)
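The following is an added illustration of the evaluation order the reply above describes; it is not Check Point code and not part of the original thread. It is a deliberately simplified model: first match wins inside a layer, a connection must be accepted by every ordered layer to be accepted overall, each layer has its own implicit cleanup action, and an "Apply Layer" rule hands the connection to an inline layer whose verdict (including its own implicit cleanup) becomes the rule's verdict. An application criterion can only match once payload has identified the application, so a fresh connection with no payload yet falls through the application rules to the layer's cleanup. The layer names, rule names, network objects ("Internal_Net", "Guest_Net") and the "Facebook" application are constructed for the example; a real gateway's handling of not-yet-identified applications ("possible match" while the handshake completes) is more involved than the None check used here.

```python
"""Toy model of ordered and inline policy layers (added illustration, not Check Point code)."""
from dataclasses import dataclass, field
from typing import List, Optional

ANY = "Any"


@dataclass
class Connection:
    src: str
    dst: str
    service: str                 # e.g. "tcp/443"
    app: Optional[str] = None    # None = no payload yet, application not identified


@dataclass
class Rule:
    name: str
    action: str                                  # "Accept", "Drop" or "Apply Layer"
    src: set = field(default_factory=lambda: {ANY})
    dst: set = field(default_factory=lambda: {ANY})
    service: set = field(default_factory=lambda: {ANY})
    app: set = field(default_factory=lambda: {ANY})
    inline: Optional["Layer"] = None             # target layer for "Apply Layer"

    def matches(self, c: Connection) -> bool:
        def hit(criterion, value):
            return ANY in criterion or value in criterion

        if not (hit(self.src, c.src) and hit(self.dst, c.dst) and hit(self.service, c.service)):
            return False
        if ANY in self.app:
            return True
        # Simplification: an application criterion cannot match until the app is known.
        return c.app is not None and c.app in self.app


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "Drop"   # action of the layer's implied last rule


@dataclass
class Verdict:
    action: str
    layer: str
    rule: str
    evaluated: List[str]   # layers consulted, in order


def evaluate_layer(layer: Layer, c: Connection, evaluated: List[str]) -> Verdict:
    """First-match evaluation of one layer; falls through to its implicit cleanup."""
    evaluated.append(layer.name)
    for r in layer.rules:
        if not r.matches(c):
            continue
        if r.action == "Apply Layer":
            return evaluate_layer(r.inline, c, evaluated)
        return Verdict(r.action, layer.name, r.name, evaluated)
    return Verdict(layer.implicit_cleanup, layer.name, "<implicit cleanup>", evaluated)


def evaluate_policy(layers: List[Layer], c: Connection) -> Verdict:
    """Ordered layers: a Drop in any layer is final; later layers are never consulted."""
    evaluated: List[str] = []
    verdict = None
    for layer in layers:
        verdict = evaluate_layer(layer, c, evaluated)
        if verdict.action == "Drop":
            return verdict
    return verdict


# Constructed sample policy (hypothetical objects and rule names).
GUEST_WEB = Layer("Guest Web", [
    Rule("Guest: block Facebook", "Drop", app={"Facebook"}),
], implicit_cleanup="Accept")   # inline layer whose cleanup was explicitly set to Accept

NETWORK = Layer("Network", [
    Rule("Internal web out", "Accept", src={"Internal_Net"}, service={"tcp/80", "tcp/443"}),
    Rule("Guest web out", "Apply Layer", src={"Guest_Net"}, service={"tcp/80", "tcp/443"},
         inline=GUEST_WEB),
], implicit_cleanup="Drop")     # the cleanup rule the original question is about

APPLICATION = Layer("Application", [
    Rule("Block Facebook", "Drop", app={"Facebook"}),
    Rule("Allow other apps", "Accept"),
], implicit_cleanup="Accept")

ORDERED_LAYERS = [NETWORK, APPLICATION]


def decide(src: str, dst: str, service: str, app: Optional[str] = None) -> Verdict:
    return evaluate_policy(ORDERED_LAYERS, Connection(src, dst, service, app))


if __name__ == "__main__":
    for args in [("Internal_Net", "Internet", "tcp/443"),
                 ("Internal_Net", "Internet", "tcp/443", "Facebook"),
                 ("Internal_Net", "Internet", "tcp/22"),
                 ("Guest_Net", "Internet", "tcp/443", "Facebook")]:
        print(args, "->", decide(*args))
```

The third case is the point of the thread: an internal host opening tcp/22 is dropped by the Network layer's implicit cleanup and the Application layer is never consulted, so no application rule can rescue it. The Guest case shows the inline layer: its explicit Accept cleanup lets unidentified traffic through to the next ordered layer, while an identified Facebook connection is dropped inside the inline layer itself.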